From: Arran Cudbard-Bell Date: Fri, 8 Oct 2021 21:59:48 +0000 (-0500) Subject: We should only call virtual server for depth 0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32d902b914e37d2654e4fbc495060ddbc5dbc5f2;p=thirdparty%2Ffreeradius-server.git We should only call virtual server for depth 0 --- diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c index 5e47e3b2c97..55174b0698b 100644 --- a/src/lib/tls/verify.c +++ b/src/lib/tls/verify.c @@ -260,8 +260,13 @@ done: * If verification hasn't already failed * and we're meant to verify this cert * then call the virtual server. + * + * We only call the virtual server for + * the certificate at depth 0 as all + * other certificate attributes should + * have been added by this point. */ - if (my_ok && verify_applies(conf->verify.attribute_mode, depth, untrusted)) { + if (my_ok && (depth == 0)) { if (conf->virtual_server && tls_session->verify_client_cert) { RDEBUG2("Requesting certificate validation");
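Review bot: In the new condition `if (my_ok && (depth == 0))`, the `verify_applies(conf->verify.attribute_mode, depth, untrusted)` test is removed outright rather than narrowed, so neither `conf->verify.attribute_mode` nor `untrusted` gates the virtual server call any more. If that is intended, the added comment should say so, since it currently explains only why depth 0 is chosen and not why the configured mode is no longer consulted. If the mode should still be able to suppress the call, keep both tests, for example `my_ok && (depth == 0) && verify_applies(conf->verify.attribute_mode, depth, untrusted)`. The comment's "should have been added by this point" also depends on the depth 0 callback running after the callbacks for the rest of the chain, and stating that ordering assumption in the comment would make the reasoning checkable by the next reader.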